I enjoy reading posts where people discuss their system layouts and rationales, so after reading @Sean 's post (linked below) on my other thread, I decided to create a thread for this.
Don’t forget to create a new account and scramble your language if you want to be really anonymous, but don’t forget the security principle stating that a truly secure system is one that an adversary is unable to penetrate even after having full access to all schematics (it has a name, but I forgot it).
Here’s another post by user ‘qubesuser01’ on a Reddit thread which is basically identical to this one:
I have some issues finding the perfect layout myself to be honest.
Let me share what I have anyway. You might be inspired.
I usually clone an existing templateVM that I will then use as the base for my other VMs. I recently moved over to a full fedora setup (too many issues with debian and software versions imo).
So I have a templateVM (call it private) cloned from fedora-30. In this templateVM I install general purpose tools/software that I am using generically and in most setups (Firefox, Chrome, LibreOffice, etc).
Then I have appVMs based on this. So I have one for personal use, that I use for email and other services where I am logged in. Will probably also use this for chat etc.
Then I have one for some voluntary work I am doing, where I am logged in to the mail service they have, and generally have a couple of documents and generic office related work.
I have a vault app VM that basically just holds different important files (keepass database, ssh keys and so on). This is airgapped
I have a standalone media VM where I have spotify installed and mpv. Don’t trust media files in general, so I just isolate them here.
I have a standalone VM for software development, where I have installed my editor, favourite terminal emulator, and toolchains for development language I code in and so on.
I also have a standalone VM for hacking purposes (I am getting into the field of IT security).
So to sum up:
- 1 private, based on a given templateVM (in my case fedora-30)
- Has generic all around multi-purpose tools (based on your use case, you can minimise this, stick to software that you deem trustworthy, etc)
- personal - based on private - logged in to mail, used for chat (whatsapp, telegram, discord)
- voluntary - based on private - logged in to specific mail account, used for generic office work
- vault - based on private - airgapped, used to hold different sensitive files
- development - based on private - installed specific software for development (favourite text editor, favourite terminal emulator, language toolchains, etc)
- media - based on private - installed spotify, mpv, gimp, generally used for everything media related
- hack - based on private - used for testing different tools, playing with reverse engineering and generally just trying to get into the field
Sorry for the wall of text, hope you can use though
My setup is simple and vanilla compared to those above–I have disposable sysVMs running on minimal templates with the absolute bare minimum installed for the roles. Then I have multiple mirage firewalls–one gating sys-net and the other gating my tor/VPN VMs. Then I have a bunch of appVMs.
I’m still relatively new to Qubes so I haven’t started using it for much more other than casual browsing and downloading, so my appVMs are basically Whonix, browsers, and torrenting. Whatever functions don’t need to be done online (e.g. opening videos) are done in specialized offline VMs.